Abstract. A safety claim for a system is a statement that the system, which is subject to hazardous conditions, satisfies a given set of properties. Following work by John Rushby and Bev Littlewood, this paper presents a mathematical framework that can be used to state and formally prove probabilistic safety claims. It also enables hazardous conditions, their uncertainties, and their interactions to be integrated into the safety claim. This framework provides a formal description of the probabilistic composition of an arbitrary number of hazardous conditions and their effects on system behavior. An example is given of a probabilistic safety claim for a conflict detection algorithm for aircraft in a 2D airspace. The motivation for developing this mathematical framework is that it can be used in an automated theorem prover to formally verify safety claims.


1 Introduction 

In [9,5], Rushby and Littlewood present a framework for formalizing safety 
claims for systems, which is illustrated with probabilistic safety claims in an 
automated theorem prover. In this paper, the mathematics behind their ideas 
is formalized. The mathematical framework presented will equip the reader to 
formalize a probabilistic safety claim about a system with an arbitrary number 
of hazardous conditions in a precise mathematical formula that can be proved 
in a theorem prover. One advantage that this adds to Rushby’s approach is that 
it provides a formal way for new hazardous conditions to be considered without 
changing the overall structure of the safety argument. 

A safety claim is a statement that a system will behave in a desired manner with an acceptable probability. A hazard is a state or set of conditions that, together with other conditions in the environment, will cause a system to enter an undesirable state. For more on terminology related to safety analyses and system hazards, see [4]. In this paper, a potentially hazardous condition, referred to hereafter simply as a hazardous condition, is anything that may cause a system to behave in an unexpected or undesired manner. Examples of hazardous conditions may include such things as signal noise, timing delays, or interruptions of service. The number of hazardous conditions in a safety argument typically depends on the available expertise in analyzing the system, and it is important to allow the safety claim to evolve as new factors are uncovered. Hazardous conditions typically have uncertainties associated with them, and they can therefore be modeled as random variables. This paper proposes a formal mathematical framework for modeling hazardous conditions as random variables in a way that makes it possible to also model interactions between different hazardous conditions. The underlying concepts are due to Rushby [9], but this paper gives precise mathematical definitions of probabilistic safety claims and provides a concrete example of such a claim. The example presented is for a state-based conflict detection system.

In general, a probabilistic safety claim can be expressed as a mathematical formula stating that the probability of a certain event occurring is bounded in a specific range. Since new factors affecting system behavior may become known in the future, it is desirable for the safety argument to be easily updated without reconstructing the entire argument. The mathematical formalism presented in this paper allows hazardous conditions to be modeled in a way that is modular and can handle the addition of new hazardous conditions.

The interdependency between random variables, e.g., hazardous conditions, is modeled by probabilistic kernels, which use the fact that the set of all hazardous conditions can be modeled via a concatenation of $\sigma$-algebras, as seen in [10]. A $\sigma$-algebra is a set of sets where it is possible to assign probabilities to elements in a consistent way, and is often used to model events. See Section 2.5 for a more complete discussion of probabilistic kernels.

The composition of hazardous conditions is formalized through the concatenation of Lebesgue integrals. This allows hazardous conditions and assumptions to be incorporated into the formula in a modular fashion. The majority of the complexity is encapsulated in sub-formulas specific to the assumption or hazardous condition in question, while the main safety claim formula need only be modified in a limited and systematic fashion. The mathematics behind this formalization is presented in the following sections.


2 Systems 

Systems of interest are those that can be modeled as well-defined functions with inputs and outputs. In this formalization, a system is a function $S$ with $n$ parameters and $m$ variables:

\[ S : (K_1 \times \cdots \times K_n ;\ L_1 \times L_2 \times \cdots \times L_m) \to T_0, \]

where $K_1, \ldots, K_n$ and $L_1, \ldots, L_m$ are the types of the $n$ parameters and $m$ variables of $S$, respectively. The type $T_0$ consists of the possible outputs of $S$, and if $k_i \in K_i$ and $l_j \in L_j$, then $S(k_1, \ldots, k_n; l_1, \ldots, l_m)$ is an element of $T_0$. It will sometimes be useful to view the system $S$ as only a function on its $m$ variables $l_1, \ldots, l_m$, where the $n$ parameters $k_1, \ldots, k_n$ are fixed; the notation $S_\kappa(l_1, \ldots, l_m)$ is then used in place of $S(k_1, \ldots, k_n; l_1, \ldots, l_m)$. Because the system $S$ will be modeled as a random variable in order to reason about it probabilistically, it is assumed that $T_0$ is a measure space with $\sigma$-algebra $\sigma(T_0)$.



The values $k_1, \ldots, k_n$ of the parameters of the system are predetermined, and their values, without any errors, are known to the system. In a real system, the values of the input variables are measured by the system, and the measurements can have errors. These errors may be due to either expected accuracy problems with instruments or faulty components in other systems from which the instruments receive data. In either case, events that can cause such measurement errors in the system are referred to as hazardous conditions, which are formally modeled in this context in Section 2.2.

For a system described in this way, a probabilistic safety claim is a statement that, given some set of possible hazardous conditions, the probability that the value of the system $S$ lies in a predetermined subtype $Z_0$ of $T_0$ is contained in a particular range $[p_0, p_1]$.

2.1 Modeling Uncertainty in System Variables 

As noted above, the values of the $n$ parameters $k_1, \ldots, k_n$ of the system $S$ are known to the system without errors. The errors in the measurements of the input variables $l_1, \ldots, l_m$ can be modeled as random variables

\[ l_j : \Omega \to L_j, \]

where $(\Omega, \sigma(\Omega))$ is a probability space ($\sigma(\Omega)$ is a $\sigma$-algebra on the set $\Omega$). Thus, given a fixed value $\kappa = \{k_1, \ldots, k_n\}$ for the set of parameters, the system $S$ becomes a random variable as well:

\[ S_\kappa : (\Omega, \sigma(\Omega)) \to (T_0, \sigma(T_0)), \qquad x \mapsto S(\kappa; l_1(x), l_2(x), \ldots, l_m(x)) \in T_0. \]

Thus, if $Z_0$ is any measurable subset of $T_0$ (i.e. an element of $\sigma(T_0)$), and if the distributions of the random variables $l_j$ are known, then the probability that the output of $S_\kappa$ lies in $Z_0$ can be computed.

2.2 Modeling Hazardous Conditions 

As noted in Section 2, the errors in the variables $l_1, \ldots, l_m$ of the system $S$ may be due to either expected accuracy problems with instruments or faulty components in other systems from which the instruments receive data. Conditions in the environment of a system that can cause such measurement errors in the system are referred to as hazardous conditions.

In a model of the environment of the system $S$, which includes the output of possible hazardous conditions, these conditions can be modeled as random variables

\[ H_i : (\Omega, \sigma(\Omega)) \to (T_i, \sigma(T_i)), \]

where $i \ge 1$, $T_i$ is an arbitrary type, and $\sigma(T_i)$ is a $\sigma$-algebra on $T_i$. This modeling framework allows for the computation of the probability that a hazardous condition $H_i$ takes values in a particular subtype of $T_i$.



2.3 Modeling All Possible Hazardous Conditions 


It is possible that the environment of a system $S$ has an arbitrary number of hazardous conditions. Further, it may be the case that when developing a model of system behavior, only a few of these possible hazardous conditions are understood. Even in this case, the environment of the system can be modeled as an infinite product

\[ T = \prod_{i=0}^{\infty} T_i, \]

where $T_0$ is the type of the output values of $S$, and for $i \ge 1$, $T_i$ is the type of the output of the $i$-th hazardous condition $H_i$. This is a measure space with $\sigma$-algebra $\sigma(T) = \prod_{i=0}^{\infty} \sigma(T_i)$. This type of model is possible even if there are only finitely many hazardous conditions, because for $i$ large enough, $T_i$ can be defined to be a singleton set, and $H_i : \Omega \to T_i$ as the trivial function.

In general, for any choice $\kappa = \{k_1, \ldots, k_n\}$ of system parameters, there is a random variable

\[ S_\kappa \times H_1 \times H_2 \times \cdots : \Omega \to T \tag{1} \]

given by $x \mapsto \big((S \circ (\kappa \times l_1 \times l_2 \times \cdots \times l_m))(x),\ H_1(x),\ H_2(x),\ \ldots\big)$. Thus, the type $T$ inherits the structure of a probability space from $(\Omega, \sigma(\Omega))$ and from the random variable (1).

Definition 1 Since the random variable (1) depends on the choice $\kappa$ of parameters for the system $S$, the probability distribution of $T$ depends on $\kappa$ as well. Thus, the probability function on $T$ induced by $S$ and $\kappa$ will be denoted $P_\kappa$.

If $\beta$ is a subtype of $T$, then the probability $P_\kappa[\beta]$ can be defined and possibly computed.

2.4 Probabilistic Safety Claims 

Suppose that the $r$ hazardous conditions $H_1, \ldots, H_r$, the corresponding types $T_1, \ldots, T_r$, and the probability distributions of the random variables $H_i$ are all known. Let $\beta_i \in \sigma(T_i)$ be events in $T_i$. That is, each $\beta_i$ is a subtype of $T_i$, and the probability that the value of $H_i$ is an element of $\beta_i$ can be computed.

In general, the probability that the value of every $H_i$ (for $i = 1, \ldots, r$) is in $\beta_i$ and that the system $S$ takes a value in $\beta_0$ is given by

\[ P_\kappa[\sigma(\beta_0, \beta_1, \ldots, \beta_r)], \]

where $\sigma(\beta_0, \beta_1, \ldots, \beta_r)$ is the concatenation of $\sigma$-algebras given by

\[ \sigma(\beta_0, \beta_1, \ldots, \beta_r) = \{\omega \in T \mid \omega_0 \in \beta_0,\ \omega_1 \in \beta_1,\ \ldots,\ \text{and } \omega_r \in \beta_r\}. \]

An introduction to concatenations of $\sigma$-algebras can be found in [10]. As more sigma algebras are concatenated, the concatenation becomes smaller:

\[ \sigma(\beta_0) \supseteq \sigma(\beta_0, \beta_1) \supseteq \sigma(\beta_0, \beta_1, \beta_2) \supseteq \sigma(\beta_0, \beta_1, \beta_2, \beta_3) \supseteq \cdots, \]

and the sequence of associated probabilities is decreasing:

\[ P_\kappa[\sigma(\beta_0)] \ge P_\kappa[\sigma(\beta_0, \beta_1)] \ge P_\kappa[\sigma(\beta_0, \beta_1, \beta_2)] \ge P_\kappa[\sigma(\beta_0, \beta_1, \beta_2, \beta_3)] \ge \cdots \]

With this formalism, it is possible to formally state a safety claim in a way that can be specified in an automated theorem prover. Let $p_0$ and $p_1$ be any two probabilities, and let $\beta_0$ and $\alpha_0$ be two subtypes of $T_0$.

Definition 2 A probabilistic safety claim on the system $S$ is a statement of the following form: If $l_1^{meas}, \ldots, l_m^{meas}$ are measured values for the variables of the system $S$ such that the system output value $S(\kappa'; l_1^{meas}, \ldots, l_m^{meas})$ is an element of $\alpha_0$, then the probability that the system $S$, with parameter set $\kappa$, takes values in $\beta_0$ is between $p_0$ and $p_1$, i.e.

\[ P_\kappa[\sigma(\beta_0)] \in [p_0, p_1]. \tag{2} \]

It should be noted that the hypothesis that $S(\kappa'; l_1^{meas}, \ldots, l_m^{meas})$ is an element of $\alpha_0$ is not needed to formally state a safety claim in a theorem prover. However, such a hypothesis will often be required to prove such a safety claim, because the expected values of the random variables $l_1, \ldots, l_m$ are often equal to $l_1^{meas}, \ldots, l_m^{meas}$, respectively. Thus, the computation of the probability (2) often depends on these measured values.

Another important property of this definition is that the set of system parameters $\kappa'$ is different than the set $\kappa$. In practice, the parameter set $\kappa'$ may be chosen so that if $S(\kappa'; l_1^{meas}, \ldots, l_m^{meas})$ is an element of $\alpha_0$, then the probability $P_\kappa[\sigma(\beta_0)]$ is more likely to be between $p_0$ and $p_1$. An example of this is given below in Section 3.2, where the radius of the protected zone around an aircraft and the lookahead time for conflict detection are artificially increased to ensure that if a conflict detection probe returns False, then the probability that the two aircraft are actually in conflict (using the correct radius and lookahead time) is reduced.

It is also important to note that neither the infinite product $T$ nor concatenations of sigma algebras are required to make a safety claim on a system. However, as illustrated in Section 2.4, both of these concepts are necessary when developing a formal proof of such a safety claim.

An example of such a safety claim, for a conflict detection probe, is presented 
in Section 3. 


2.5 Dependence of System Variables on Hazardous Conditions 

In general, the hazardous conditions $H_i$ for the system $S$ may have an impact on the accuracy of the variables of $S$, which are modeled as random variables $l_1, \ldots, l_m$, as in Section 2.1. It is possible to model the dependence of the random variables $l_j$ on the random variables $H_i$ using probabilistic kernels. This section provides a brief introduction to probabilistic kernels, and the construction follows that in [10].



Probabilistic Kernels Suppose that the distribution of the random variable $S_\kappa : \Omega \to T_0$ (the output of the system $S$) depends on the value of $H_1 : \Omega \to T_1$. That is, if $\omega_1 \in T_1$, then there is an associated random variable $\Omega \to T_0 \times T_1$ given by

\[ x \mapsto (S_\kappa(x), \omega_1), \tag{3} \]

for $x \in \Omega$, and the distribution of this random variable depends on the choice of $\omega_1$. If this is the case, then there is an induced probability function

\[ p : T_1 \times \sigma(T_0) \to [0, 1]. \]

Since this function depends on the parameter $\kappa$ of the system $S$, it will be written as $p_\kappa$. Given $\omega_1 \in T_1$ and $\beta_0 \subseteq T_0$, the corresponding output of $p_\kappa$ is written $p_\kappa(\omega_1; \beta_0)$, which is the probability that the random variable (3) takes a value in $\beta_0 \times \{\omega_1\}$. If $\beta_0$ and $\beta_1$ are elements of $\sigma(T_0)$ and $\sigma(T_1)$, respectively, then the probability $P_\kappa[\sigma(\beta_0, \beta_1)]$, defined in Section 2.4, is given by the Lebesgue integral

\[ P_\kappa[\sigma(\beta_0, \beta_1)] = \int_{\omega_1 \in \beta_1} \int_{\omega_0 \in \beta_0} p_\kappa(\omega_1; d\omega_0)\, p(d\omega_1). \]

It is important to note that there is no assumption of independence required for this equation. In order to compute this integral, it is necessary to know how the random variable $S_\kappa$ depends on the random variable $H_1$.

Probabilistic Kernels with Several Variables The construction of this probabilistic kernel can be generalized to handle multiple hazardous conditions as follows. Suppose as above that the random variable $S_\kappa : \Omega \to T_0$ depends on the random variables $H_1, \ldots, H_r$. Suppose further that for all $i = 1, \ldots, r$, the random variable $H_i : \Omega \to T_i$ depends on the values of the random variables $H_{i+1}, \ldots, H_r$. That is, $S_\kappa$ depends on $H_1, \ldots, H_r$; $H_1$ depends on $H_2, \ldots, H_r$; $H_2$ depends on $H_3, \ldots, H_r$; etc. As above, this means that if $i \ge 0$, then for $\omega_{i+1} \in T_{i+1}, \ldots, \omega_r \in T_r$, the distribution of the random variable $\Omega \to T_i \times \cdots \times T_r$, given by

\[ x \mapsto (H_i(x), \omega_{i+1}, \ldots, \omega_r), \tag{4} \]

depends on the values of $\omega_{i+1}, \ldots, \omega_r$ (by abuse of notation, $H_0 = S_\kappa$ in this equation). Further, there is an induced probability function

\[ p : T_r \times \cdots \times T_{i+1} \times \sigma(T_i) \to [0, 1] \]

given by $(\omega_r, \ldots, \omega_{i+1}; \beta_i) \mapsto p(\omega_r, \ldots, \omega_{i+1}; \beta_i)$, which is the probability that the random variable (4) takes a value in $\beta_i \times \{\omega_{i+1}\} \times \cdots \times \{\omega_r\}$. This probability is written with a subscript of $\kappa$ if $i = 0$ to indicate the dependence on the system parameter $\kappa$. If $\beta_i$ is an element of the $\sigma$-algebra $\sigma(T_i)$ for $i = 0, \ldots, r$, then the probability $P_\kappa[\sigma(\beta_0, \ldots, \beta_r)]$ (cf. Section 2.4) is given by the Lebesgue integral

\[ \int_{\omega_r \in \beta_r} \cdots \int_{\omega_0 \in \beta_0} p_\kappa(\omega_r, \ldots, \omega_1; d\omega_0)\, p(\omega_r, \ldots, \omega_2; d\omega_1) \cdots p(\omega_r; d\omega_{r-1})\, p(d\omega_r). \]

An example of such an integral is given in Section 3.2, where this integral is explicitly computed to prove a safety claim for a conflict detection system.
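As an added illustration of the concatenated Lebesgue integral above (this code is not part of the original paper), the following Python code computes $P_\kappa[\sigma(\beta_0, \ldots, \beta_r)]$ for the case where every $T_i$ is finite, so that each integral collapses to a sum over a probability mass function. The chain of kernels, the values of the hazardous conditions and all probabilities are constructed for this example and are not taken from the paper; the arrangement mirrors the one used in Section 3.2, with $H_2$ a count of dropped messages, $H_1$ a GPS-error flag whose distribution depends on $H_2$, and $S_\kappa$ a True/False probe output that depends on both. It also checks the decreasing sequence of probabilities from Section 2.4.

```python
from typing import Callable, Dict, Hashable, Optional, Sequence, Set

# A discrete kernel for position i in the chain: given the values
# (omega_{i+1}, ..., omega_r) of the later hazardous conditions, it returns the
# probability mass function p(omega_r, ..., omega_{i+1}; .) on T_i as a dict.
# Position r takes no arguments: it is the unconditional distribution p(d omega_r).
Kernel = Callable[..., Dict[Hashable, float]]


def prob_concat(kernels: Sequence[Kernel],
                events: Sequence[Optional[Set[Hashable]]]) -> float:
    """P_kappa[sigma(beta_0, ..., beta_r)] for discrete kernels.

    kernels[i] is the kernel for H_i (kernels[0] for S_kappa = H_0).
    events[i] is beta_i; None means the whole type T_i, so a shorter event
    list (padded with None here) gives P_kappa[sigma(beta_0, ..., beta_j)].
    """
    r = len(kernels) - 1
    events = list(events) + [None] * (r + 1 - len(events))

    def integrate(i: int, later: tuple) -> float:
        # Outermost integral is over omega_r; each level sums mass * inner integral.
        pmf = kernels[i](*later)
        total = 0.0
        for omega, mass in pmf.items():
            if events[i] is not None and omega not in events[i]:
                continue
            inner = 1.0 if i == 0 else integrate(i - 1, (omega,) + later)
            total += mass * inner
        return total

    return integrate(r, ())


# --- Constructed example chain (all values chosen for illustration only) ---
def kernel_dropped() -> Dict[Hashable, float]:
    # H_2: number of consecutive dropped ADS-B messages, truncated to 0..3.
    return {0: 0.60, 1: 0.25, 2: 0.10, 3: 0.05}


def kernel_gps(dropped: int) -> Dict[Hashable, float]:
    # H_1 given H_2 = dropped, i.e. p(dropped; .): the error chance grows with staleness.
    p_e = 0.02 + 0.01 * dropped
    return {"e": p_e, "not_e": 1.0 - p_e}


def kernel_probe(gps: str, dropped: int) -> Dict[Hashable, float]:
    # S_kappa given (H_1, H_2), i.e. p_kappa(gps, dropped; .) on {True, False}.
    p_true = 0.5 if gps == "e" else (0.1 if dropped == 0 else 0.2)
    return {True: p_true, False: 1.0 - p_true}


CHAIN = [kernel_probe, kernel_gps, kernel_dropped]


def probe_true() -> float:
    """P[sigma({True})]: probe reports a conflict, whatever the conditions."""
    return prob_concat(CHAIN, [{True}])


def probe_true_no_gps_error() -> float:
    """P[sigma({True}, {not e})]."""
    return prob_concat(CHAIN, [{True}, {"not_e"}])


def probe_true_no_gps_error_fresh() -> float:
    """P[sigma({True}, {not e}, {0})]: additionally no message was dropped."""
    return prob_concat(CHAIN, [{True}, {"not_e"}, {0}])


def decreasing_sequence() -> bool:
    # Section 2.4: P[sigma(b0)] >= P[sigma(b0, b1)] >= P[sigma(b0, b1, b2)].
    return probe_true() >= probe_true_no_gps_error() >= probe_true_no_gps_error_fresh()


if __name__ == "__main__":
    print(f"P[sigma({{True}})]              = {probe_true():.4f}")
    print(f"P[sigma({{True}},{{not e}})]      = {probe_true_no_gps_error():.4f}")
    print(f"P[sigma({{True}},{{not e}},{{0}})]  = {probe_true_no_gps_error_fresh():.4f}")
```

The recursion evaluates the integrals from the outside in, exactly in the order of the displayed formula: the kernel at position $i$ is queried only after $\omega_{i+1}, \ldots, \omega_r$ have been fixed, which is where the absence of any independence assumption shows up in code.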




3 A Proved Safety Claim for Conflict Detection 


This section illustrates the framework presented in the previous sections with an example of a safety claim for a conflict detection probe in a 2D airspace. This is an algorithm that detects conflicts between two aircraft, referred to here as the ownship and the intruder. Its variables include the state information of the aircraft, which consists of their current positions and velocities, which are represented by points and vectors in $\mathbb{R}^2$, respectively.

Aircraft trajectories are represented by a point moving at constant linear speed, i.e., if the current state of an aircraft is given by the position $s$ and the velocity vector $v$, then its predicted position at time $t$ is $s + tv$. In this paper, the vectors $s_o, v_o, s_i$, and $v_i$ represent the ownship's position and velocity and the intruder's position and velocity, respectively. The formalization presented here usually considers a relative view where the intruder is fixed at the origin of the coordinate system. The vectors $s$ and $v$ will denote the relative position $s_o - s_i$ and the relative velocity $v_o - v_i$, respectively.

In the airspace, it is required that aircraft maintain a certain horizontal separation, specified by a minimum horizontal distance $D$. Typically, $D$ is 5 nautical miles. A conflict detection probe detects conflicts between the aircraft over some given lookahead time $T$, usually less than five minutes. A conflict between the ownship and the intruder aircraft occurs when there is a time $t \in [0, T]$ at which the horizontal distance between the aircraft is projected to be less than $D$, i.e.,

\[ \|(s_o + t v_o) - (s_i + t v_i)\| < D. \]

Since $(s_o + t v_o) - (s_i + t v_i) = (s_o - s_i) + t(v_o - v_i)$, the predicate that characterizes conflicts can be defined in terms of the relative vectors $s = s_o - s_i$ and $v = v_o - v_i$, i.e., the relative position and velocity vectors, respectively, of the ownship with respect to the intruder. The predicate horizontal_conflict?, parametric on the lookahead time $T$ and the horizontal distance $D$, is formally defined as follows.

\[ \text{horizontal\_conflict?}(D, T, s, v) \equiv \exists\, t \in [0, T] : \|s + tv\| < D. \]

A conflict detection probe is an algorithm that computes whether the predicate horizontal_conflict? holds for the current states of two aircraft. One example of such an algorithm is cd2d, developed at NASA Langley [6]. Formally, a conflict detection probe is defined as a function

\[ cd : \mathbb{R}^+ \times \mathbb{R}^+ ;\ \mathbb{R}^2 \times \mathbb{R}^2 \to \{\text{True}, \text{False}\}. \]

It is designed so that $cd(D, T; s, v) \iff \text{horizontal\_conflict?}(D, T, s, v)$, for all $D, T \in \mathbb{R}^+$ and $s, v \in \mathbb{R}^2$. Such a conflict detection probe is a system, as described above. The distance $D$ and time $T$ are parameters of $cd$ because their values are typically known to the aircraft without error. For instance, the airspace may have a 5 nautical mile minimum horizontal separation, and a standards document may define the lookahead time $T$ to be 3 minutes.
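The predicate horizontal_conflict? quantifies over every $t \in [0, T]$, which a probe cannot evaluate directly. The Python function below is an added example written for this page (it is not NASA's cd2d and not code from the paper) of how a probe can decide the predicate exactly: $\|s + tv\|^2$ is a convex quadratic in $t$, so its minimum over $[0, T]$ is attained at the time of closest approach clamped to the interval, and the probe compares that minimum distance with $D$. Consistent units are assumed (here nautical miles and minutes, so velocities are in nmi/min), and the sample aircraft states are constructed.

```python
import math
from typing import Tuple

Vec = Tuple[float, float]  # a point or vector in R^2


def relative_state(s_o: Vec, v_o: Vec, s_i: Vec, v_i: Vec) -> Tuple[Vec, Vec]:
    """Relative view of Section 3: s = s_o - s_i, v = v_o - v_i (intruder at the origin)."""
    return (s_o[0] - s_i[0], s_o[1] - s_i[1]), (v_o[0] - v_i[0], v_o[1] - v_i[1])


def time_of_closest_approach(T: float, s: Vec, v: Vec) -> float:
    """Minimiser of ||s + t v||^2 = (v.v) t^2 + 2 (s.v) t + s.s over t in [0, T].

    The unconstrained minimiser is t = -(s.v)/(v.v); clamping it to [0, T] gives the
    constrained one because the quadratic is convex (v.v >= 0). If v = 0 the distance
    is constant and t = 0 is as good as any other time.
    """
    vv = v[0] * v[0] + v[1] * v[1]
    if vv == 0.0:
        return 0.0
    sv = s[0] * v[0] + s[1] * v[1]
    return min(max(-sv / vv, 0.0), T)


def cd(D: float, T: float, s: Vec, v: Vec) -> bool:
    """Conflict detection probe: cd(D, T; s, v) <=> exists t in [0, T] with ||s + t v|| < D.

    D and T are the parameters (known without error); s and v are the variables
    (measured, and therefore subject to the hazardous conditions of Section 3.1).
    """
    if D <= 0.0 or T <= 0.0:
        raise ValueError("D and T must be positive, as in the signature of cd")
    t = time_of_closest_approach(T, s, v)
    closest = math.hypot(s[0] + t * v[0], s[1] + t * v[1])
    return closest < D


if __name__ == "__main__":
    # Constructed scenario: the intruder sits 10 nmi ahead of the ownship, which closes
    # head-on at 1 nmi/min; D = 5 nmi, T = 3 min. After 3 min the gap is still 7 nmi.
    s, v = relative_state((0.0, 0.0), (1.0, 0.0), (10.0, 0.0), (0.0, 0.0))
    print("3-minute lookahead:", cd(5.0, 3.0, s, v))    # no conflict within T
    print("10-minute lookahead:", cd(5.0, 10.0, s, v))  # the gap closes to zero
```

Because the decision is made on the exact minimum rather than by sampling $t$, the probe cannot miss a brief loss of separation between sample points; this matters for the later sections, which reason about cd returning False as a guarantee.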



3.1 GPS and ADS-B Hazardous Conditions 


If the ownship is using the conflict probe $cd$ to detect conflicts, it must depend on broadcast signals from the intruder to determine the intruder's position and velocity vectors. In this example, the aircraft use Automatic Dependent Surveillance Broadcast (ADS-B) [8] messages to communicate their positions and velocities, and it is assumed that ADS-B messages with state information are sent by each aircraft once per second. When the ownship uses the algorithm $cd$, it is possible that several consecutive position and velocity updates from the intruder have been dropped due to signal attenuation, which results in greater uncertainty in the values of $s_i$ and $v_i$. Thus, ADS-B message loss due to signal attenuation can be modeled as a hazardous condition:

\[ H_{2,adsb} : \Omega \to T_{2,adsb}, \qquad T_{2,adsb} = \{0, 1, 2, 3, \ldots\}. \]

The random variable $H_{2,adsb}$ returns the number of consecutive ADS-B messages from the intruder that were not received by the ownship since the last received message from the intruder. At a given instant of time when a conflict detection probe is used, $\tau$ will be used to represent this number of consecutive dropped messages. The number $\tau$ is easy for the ownship to compute, since it just has to know when the last ADS-B update from the intruder was received. The number $\tau$ is an integer, and $\tau_s$ will be used to represent the time period $\tau$ seconds.

In addition, if the conflict detection probe $cd$ is being used by the ownship, then the position and velocity vectors $s_o, s_i, v_o$, and $v_i$ will be estimated using instruments such as GPS. These instruments can be faulty or have expected errors. For instance, there may be some error in the position predicted by a GPS device. The effects of uncertainty in positions and velocities of aircraft on conflict detection have been studied before [3].

Error in GPS is modeled as a hazardous condition as follows. The vectors $s_i^m$ and $v_i^m$ represent the intruder's reported position and velocity vectors, respectively, from the last ADS-B signal that was received by the ownship, and the vectors $s_o^m$ and $v_o^m$ represent the ownship's measured position and velocity at that time. The relative vectors $s^m$ and $v^m$ are defined by $s^m = s_o^m - s_i^m$ and $v^m = v_o^m - v_i^m$. The true positions of the ownship and the intruder at the time when the vectors $s^m$ and $v^m$ were measured ($\tau$ seconds ago) are given by $s_o - \tau_s v_o$ and $s_i - \tau_s v_i$, respectively. It is clear that if the measured vectors $s_o^m, v_o^m, s_i^m$, and $v_i^m$ have no error, then $s^m = s - \tau_s v$ and $v^m = v$. In this case, if $cd(D, T + \tau_s; s^m, v^m) = \text{False}$, then $cd(D, T; s, v) = \text{False}$ as well. Thus, the symbol $e$ (called GPS error) denotes the fact that one of the following inequalities is satisfied.

\[ \begin{aligned} &(i)\ \ \|(s_o - \tau_s v_o) - s_o^m\| \ge a_o, &\qquad &(iii)\ \ \|(s_i - \tau_s v_i) - s_i^m\| \ge a_i, \\ &(ii)\ \ \|v_o - v_o^m\| \ge b_o, &\qquad &(iv)\ \ \|v_i - v_i^m\| \ge b_i. \end{aligned} \]

Here, the distances $a_o$ and $a_i$ and the speeds $b_o$ and $b_i$ are predetermined parameters. For instance, one set of these parameters that is used in the proof of a safety claim in Section 3.3 is $a_o, a_i = 30$ m and $b_o, b_i = 0.3$ m/s, which correspond to certain navigation accuracy categories (NACp 9 and NACv 4, respectively), as specified by RTCA, Inc. in DO-242A for precision in ADS-B messages [8]. This specification is for 95 percent confidence intervals on the position and velocity vectors of aircraft, within the given ranges. Other choices for $a_o, a_i, b_o$, and $b_i$ may be considered, and thus in the next few sections they are simply treated as variables.

With this construction, GPS error is modeled as a hazardous condition $H_{1,gps} : \Omega \to T_{1,gps}$ (where $T_{1,gps} = \{e, \neg e\}$).

The return type $T_{2,adsb}$ of the second hazardous condition $H_{2,adsb}$ represents the number of seconds since the last ADS-B update from the intruder aircraft. If $d$ is any non-negative integer, it is possible to formally define the probability that the most recent ADS-B message that was sent by the intruder and detected/decoded by the ownship occurred within the last $d$ seconds.

As noted above, inaccuracies in the measurements of the positions $s_o$ and $s_i$ and the velocities $v_o$ and $v_i$ imply that the conflict detection probe $cd$ can be modeled as a random variable:

\[ cd_{D,T} : \Omega \to T_0 = \{\text{True}, \text{False}\}, \qquad x \mapsto cd(D, T; s(x), v(x)). \]

This random variable depends on the hazardous conditions $H_{1,gps}$ and $H_{2,adsb}$.


3.2 Probabilistic Kernels in Conflict Detection 

It is clear that the random variable $cd_{D,T}$, which takes values in $\{\text{False}, \text{True}\}$, depends on the hazardous conditions $H_{1,gps}$ and $H_{2,adsb}$. Thus, as in Section 2.5, if $\beta_2 \subseteq T_{2,adsb}$, $\beta_1 \subseteq T_{1,gps}$, and $\beta_0 \subseteq T_0 = \{\text{False}, \text{True}\}$, then the probability that $H_{2,adsb}$ and $H_{1,gps}$ take values in $\beta_2$ and $\beta_1$, respectively, and that $cd_{D,T}$ takes a value in $\beta_0$, is given by

\[ P_{D,T}[\sigma(\beta_0, \beta_1, \beta_2)] = \int_{\omega_2 \in \beta_2} \int_{\omega_1 \in \beta_1} \int_{\omega_0 \in \beta_0} p_{D,T}(\omega_1, \omega_2; d\omega_0)\, p(\omega_2; d\omega_1)\, p(d\omega_2). \]

As a simple example of this, if $i \in T_{2,adsb}$, then the probability that the random variable (conflict probe) $cd_{D,T}$ returns True, that there is no error in GPS, and that the last ADS-B signal from the intruder aircraft was exactly $i$ seconds ago is given by

\[ \begin{aligned} P_{D,T}[\sigma(\{\text{True}\}, \{\neg e\}, \{i\})] &= \int_{\omega_2 \in \{i\}} \int_{\omega_1 \in \{\neg e\}} \int_{\omega_0 \in \{\text{True}\}} p_{D,T}(\omega_1, \omega_2; d\omega_0)\, p(\omega_2; d\omega_1)\, p(d\omega_2) \\ &= \int_{\omega_1 \in \{\neg e\}} \int_{\omega_0 \in \{\text{True}\}} p_{D,T}(\omega_1, i; d\omega_0)\, p(i; d\omega_1)\, p(\{i\}) \\ &= \int_{\omega_0 \in \{\text{True}\}} p_{D,T}(\neg e, i; d\omega_0)\, p(i; \{\neg e\})\, p(\{i\}) \\ &= p_{D,T}(\neg e, i; \{\text{True}\})\, p(i; \{\neg e\})\, p(\{i\}). \end{aligned} \]

The random variables $cd_{D,T}$, $H_{1,gps}$, and $H_{2,adsb}$ are all discrete, so the probability that $cd_{D,T}$ returns True, which is given by $P_{D,T}[\sigma(\{\text{True}\})]$, can be computed as an infinite sum as follows.

\[ \begin{aligned} P_{D,T}[\sigma(\{\text{True}\})] &= \int_{\omega_2 \in \{0, 1, 2, \ldots\}} \int_{\omega_1 \in \{e, \neg e\}} \int_{\omega_0 \in \{\text{True}\}} p_{D,T}(\omega_1, \omega_2; d\omega_0)\, p(\omega_2; d\omega_1)\, p(d\omega_2) \\ &= \sum_{i=0}^{\infty} \int_{\omega_1 \in \{e, \neg e\}} \int_{\omega_0 \in \{\text{True}\}} p_{D,T}(\omega_1, i; d\omega_0)\, p(i; d\omega_1)\, p(\{i\}) \\ &= \sum_{i=0}^{\infty} \Big( \int_{\omega_0 \in \{\text{True}\}} p_{D,T}(e, i; d\omega_0)\, p(i; \{e\})\, p(\{i\}) + \int_{\omega_0 \in \{\text{True}\}} p_{D,T}(\neg e, i; d\omega_0)\, p(i; \{\neg e\})\, p(\{i\}) \Big) \tag{5} \\ &= \sum_{i=0}^{\infty} \Big( p_{D,T}(e, i; \{\text{True}\})\, p(i; \{e\})\, p(\{i\}) + p_{D,T}(\neg e, i; \{\text{True}\})\, p(i; \{\neg e\})\, p(\{i\}) \Big). \end{aligned} \]


Distribution of the ADS-B Hazardous Condition Under the assumption that there is no ADS-B signal interference due to multiple intruder aircraft, the distribution of the hazardous condition $H_{2,adsb}$ follows a Poisson distribution, as discussed in [2]. In that paper, the probability that a given ADS-B message from the intruder aircraft will not be detected and decoded by the ownship, which is equal to $p(\{0\})$, is (approximately) given by $p(\{0\}) = 1 - (r/r_0)^k$ with $r < r_0$, where $k = 6.4314$ and $r_0 = 96.6$ nmi [2]. The number $r$ is the current distance between the two aircraft. Thus, if it is known that the ownship and the intruder are no greater than 60 nmi apart, a reasonable distance for most commercial aircraft given short lookahead times such as 3 minutes, then $p(\{0\}) \ge \eta$, where $\eta = 0.953$.

The key assumption that can be used to deduce that $H_{2,adsb}$ follows a Poisson distribution is that whether any particular ADS-B message from the intruder aircraft is received by the ownship is independent from whether any other, different, ADS-B message from the intruder is received. Under this assumption,

\[ p(\{i\}) = \eta (1 - \eta)^i \quad \text{for } i \ge 0. \]

This is because the last $i$ messages (sent $0, 1, \ldots$ and $i - 1$ seconds ago) have been dropped, which has a probability of $(1 - \eta)^i$ of occurring, and the message sent exactly $i$ seconds ago was not dropped, which has a probability of $\eta$ of occurring. The equation above can be used to replace $p(\{i\})$ in Equation (5).
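As an added worked computation (this code is not from the paper or from [2]), the following Python functions evaluate the quantities just described: the bound $\eta$ on $p(\{0\})$ from $p(\{0\}) = 1 - (r/r_0)^k$ with the quoted constants, the mass function $p(\{i\}) = \eta(1 - \eta)^i$, and the tail sum $\sum_{i=d+1}^{\infty} \eta(1 - \eta)^i = (1 - \eta)^{d+1}$, which is the closed form that appears when the sum in Equation (5) is truncated at $d$. The closed form is compared against a brute-force partial sum; the function names and the truncation lengths are choices made here.

```python
K_ADSB = 6.4314   # exponent k, quoted from [2] as cited in the paper
R0_NMI = 96.6     # r_0 in nautical miles, quoted from [2]


def p_zero(r_nmi: float) -> float:
    """p({0}) = 1 - (r / r_0)^k for a current separation r < r_0 (formula quoted from [2])."""
    if not 0.0 <= r_nmi < R0_NMI:
        raise ValueError("the formula is only stated for 0 <= r < r_0")
    return 1.0 - (r_nmi / R0_NMI) ** K_ADSB


def eta_for_max_range(r_max_nmi: float) -> float:
    """Lower bound eta on p({0}) when the aircraft are at most r_max apart.

    p_zero decreases as r grows, so the bound is attained at r = r_max
    (r_max = 60 nmi reproduces the paper's eta = 0.953 to three decimals).
    """
    return p_zero(r_max_nmi)


def p_dropped(i: int, eta: float) -> float:
    """p({i}) = eta (1 - eta)^i: the last received message was sent i seconds ago,
    the i newer ones having been dropped independently of one another."""
    if i < 0:
        raise ValueError("i counts dropped messages and cannot be negative")
    return eta * (1.0 - eta) ** i


def tail_closed_form(d: int, eta: float) -> float:
    """sum_{i=d+1}^{inf} eta (1 - eta)^i = (1 - eta)^(d+1), a geometric series."""
    return (1.0 - eta) ** (d + 1)


def tail_by_summation(d: int, eta: float, n_terms: int = 5000) -> float:
    """Brute-force partial sum of the same tail; n_terms is a choice made here."""
    return sum(p_dropped(i, eta) for i in range(d + 1, d + 1 + n_terms))


def total_mass(eta: float, n_terms: int = 5000) -> float:
    """sum_{i>=0} p({i}) should be 1: p is a probability distribution on T_{2,adsb}."""
    return sum(p_dropped(i, eta) for i in range(n_terms))


if __name__ == "__main__":
    eta = eta_for_max_range(60.0)
    print(f"eta = {eta:.4f}")
    for d in (0, 1, 2, 5):
        print(f"d = {d}: probability that more than d messages were dropped = "
              f"{tail_closed_form(d, eta):.3e}")
```

The tail term is what remains of Equation (5) once only the first $d + 1$ values of $H_{2,adsb}$ are handled exactly, which is why it reappears unchanged in the bound of Section 3.3.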


Probability of GPS Error A key assumption in this example is that probabilities $p_{so}$, $p_{si}$, $p_{vo}$ and $p_{vi}$ are known that satisfy the following properties.

— At any given time, the probability that the distance between the ownship's predicted position (by GPS) and its actual position is at least $a_o$ is bounded above by $p_{so}$.

— At any given time, the probability that the difference (speed) between the ownship's predicted velocity (by GPS) and its actual velocity is at least $b_o$ is bounded above by $p_{vo}$.

— At any given time, the probability that the distance between the intruder's predicted position (by GPS) and its actual position is at least $a_i$ is bounded above by $p_{si}$.

— At any given time, the probability that the difference (speed) between the intruder's predicted velocity (by GPS) and its actual velocity is at least $b_i$ is bounded above by $p_{vi}$.

Specific examples of such numbers can be found in the RTCA, Inc. document DO-242A [8], which provides examples for the analyses in Section 3.3.

At a given instant of time, the actual positions of the ownship and the intruder $\tau$ seconds ago were given by $s_o - \tau_s v_o$ and $s_i - \tau_s v_i$, respectively. The positions at that time, as predicted by GPS, are by definition given by $s_o^m$ and $s_i^m$, respectively. Thus, the following four equations hold.

\[ \begin{aligned} P[\|(s_o - \tau_s v_o) - s_o^m\| \ge a_o] &\le p_{so}, &\qquad P[\|(s_i - \tau_s v_i) - s_i^m\| \ge a_i] &\le p_{si}, \\ P[\|v_o - v_o^m\| \ge b_o] &\le p_{vo}, &\qquad P[\|v_i - v_i^m\| \ge b_i] &\le p_{vi}. \end{aligned} \]

By the definition of the error $e$ in Section 3.1, $p(i; \{e\}) \le p_{so} + p_{vo} + p_{si} + p_{vi}$. Set $p_{error} = p_{so} + p_{vo} + p_{si} + p_{vi}$. Equation (5) implies that if $d$ is any integer (a specific number of seconds), then

\[ \begin{aligned} P_{D,T}[\sigma(\{\text{True}\})] &= \sum_{i=0}^{\infty} \Big( p_{D,T}(e, i; \{\text{True}\})\, p(i; \{e\})\, p(\{i\}) + p_{D,T}(\neg e, i; \{\text{True}\})\, p(i; \{\neg e\})\, p(\{i\}) \Big) \\ &\le \sum_{i=0}^{\infty} \Big( p_{error}\, \eta (1 - \eta)^i + p_{D,T}(\neg e, i; \{\text{True}\})\, p(i; \{\neg e\})\, p(\{i\}) \Big) \\ &= p_{error} + \sum_{i=0}^{\infty} p_{D,T}(\neg e, i; \{\text{True}\})\, p(i; \{\neg e\})\, p(\{i\}) \tag{6} \\ &\le p_{error} + \sum_{i=0}^{\infty} p_{D,T}(\neg e, i; \{\text{True}\})\, \eta (1 - \eta)^i \\ &\le p_{error} + \sum_{i=d+1}^{\infty} \eta (1 - \eta)^i + \sum_{i=0}^{d} p_{D,T}(\neg e, i; \{\text{True}\})\, \eta (1 - \eta)^i \\ &= p_{error} + (1 - \eta)^{d+1} + \sum_{i=0}^{d} p_{D,T}(\neg e, i; \{\text{True}\})\, \eta (1 - \eta)^i. \end{aligned} \]

The number $d$, which is an element of $T_{2,adsb}$, can be chosen so that the finite sum is a good approximation to the infinite sum (since $(1 - \eta)^{d+1}$ is quite small). This equation is true for any choice of $d$.


An Upper Bound on the Probability of Failure Equation (6) implies that if $p_{D,T}(\neg e, i; \{\text{True}\}) = 0$ for $i \in \{0, \ldots, d\}$, then the probability that $cd(D, T; s, v) = \text{True}$, which is given by $P_{D,T}[\sigma(\{\text{True}\})]$, is bounded above by $p_{error} + (1 - \eta)^{d+1}$. As noted in Section 2.4, to mitigate the effect of measurement errors on the conflict detection probe $cd$, a positive distance $\psi$ and a positive time $\lambda$ can be artificially added to the distance $D$ and the time $T$ when they are used as parameters in $cd$. The important question here is how large $\psi$ and $\lambda$ need to be so that if $cd(D + \psi, T + \lambda; s^m, v^m) = \text{False}$, then $p_{D,T}(\neg e, i; \{\text{True}\}) = 0$ for $i \in \{0, \ldots, d\}$. This question is answered by the following lemma. It refers to the distances $a_o$ and $a_i$ and the speeds $b_o$ and $b_i$ that define the probabilities $p_{so}, p_{vo}, p_{si}, p_{vi}$ (cf. Section 3.1).

Lemma 1. If $\lambda = d$ seconds, $\psi = a_o + a_i + (T + \lambda)(b_o + b_i)$, and $cd(D + \psi, T + \lambda; s^m, v^m) = \text{False}$, then $p_{D,T}(\neg e, i; \{\text{True}\}) = 0$ for $i \in \{0, \ldots, d\}$.

Proof. Suppose that $\neg e$ holds, and recall from Section 3.1 that $\tau$ denotes the number of seconds since the ownship successfully received position and velocity updates from the intruder aircraft's ADS-B device. Suppose that $\tau = i$, where $i \le d$. Then in order to show that $p_{D,T}(\neg e, i; \{\text{True}\}) = 0$, it suffices to prove that $cd(D, T; s, v) = \text{False}$. Since $\tau \le d$, it follows from the hypotheses of the lemma that $cd(D + \psi, T + \tau_s; s^m, v^m) = \text{False}$. Further, since $\neg e$ holds, the inequalities $\|(s_o - (i\ \text{sec}) v_o) - s_o^m\| < a_o$ and $\|(s_i - (i\ \text{sec}) v_i) - s_i^m\| < a_i$ and $\|v_o - v_o^m\| < b_o$ and $\|v_i - v_i^m\| < b_i$ are all satisfied.

By contradiction, suppose that $cd(D, T; s, v) = \text{True}$, and choose $t^* \in [0, T]$ such that $\|s + t^* v\| < D$. Then $t^* + \tau_s \in [0, T + \lambda]$ and since $s = s_o - s_i$ and $v = v_o - v_i$, it follows that

\[ \begin{aligned} &\|s^m + (t^* + \tau_s) v^m\| \\ &= \|(s_o^m - s_i^m) + (t^* + (i\ \text{sec}))(v_o^m - v_i^m)\| \\ &= \|(s_o^m - s_i^m) + (t^* + (i\ \text{sec}))(v_o^m - v_i^m) - (s + t^* v) + (s + t^* v)\| \\ &= \|(s_o^m - (s_o - (i\ \text{sec}) v_o)) - (s_i^m - (s_i - (i\ \text{sec}) v_i)) + (t^* + (i\ \text{sec}))(v_o^m - v_o) - (t^* + (i\ \text{sec}))(v_i^m - v_i) + (s + t^* v)\| \\ &\le \|s_o^m - (s_o - (i\ \text{sec}) v_o)\| + \|s_i^m - (s_i - (i\ \text{sec}) v_i)\| + (t^* + (i\ \text{sec}))\|v_o^m - v_o\| + (t^* + (i\ \text{sec}))\|v_i^m - v_i\| + \|s + t^* v\| \\ &< a_o + a_i + (t^* + (i\ \text{sec}))(b_o + b_i) + D \\ &\le a_o + a_i + (T + \lambda)(b_o + b_i) + D \\ &= \psi + D. \end{aligned} \]

This is a contradiction, since $cd(D + \psi, T + \lambda; s^m, v^m) = \text{False}$ and $\lambda = d$ seconds. This completes the proof. □



3.3 The Safety Claim for Conflict Detection 


The safety claim that can be proved by using Lemma 1 is stated below. It has 
not been formally proved in a theorem prover, but the formal mathematics has 
been developed in this paper that enables a standard mathematical proof. It 
follows trivially from that Lemma and from Equation 6 in Section 3.2. 

Proved Safety Claim for the Conflict Probe cd: Let $\lambda = d$ seconds and $\psi =
a_o + a_i + (T + \lambda)(b_o + b_i)$. Suppose that $cd(D + \psi, T + \lambda; s^m, v^m) = \mathit{False}$ and that
the ownship and the intruder aircraft are no more than 60 nmi apart. Then
the probability that the aircraft are in conflict, i.e. that $cd(D, T; s, v) = \mathit{True}$, is
no greater than $p_{so} + p_{vo} + p_{si} + p_{vi} + (1 - \eta)^{d+1}$.

A missed alert is a conflict that is not detected. Artificially increasing the
distance $D$ and the lookahead time $T$ in the conflict probe cd makes missed
alerts less likely. The proved safety claim above gives a formula for the
amount by which $D$ and $T$ must be increased, together with an upper bound on
the probability of a missed alert when $D$ is increased in this way, assuming that
the ownship and the intruder aircraft are within 60 nmi of each other. The inputs
to these formulas are the distances $a_o$ and $a_i$, the speeds $b_o$ and $b_i$, the
probabilities $p_{so}, p_{vo}, p_{si}$ and $p_{vi}$, and the number of seconds $d$ by which $T$ is to be
increased in the conflict probe cd. Equation (6) expresses the relationships between
$a_o, a_i, b_o, b_i, p_{so}, p_{vo}, p_{si}$ and $p_{vi}$. Given these inputs, the associated upper
bound on the probability of a missed alert is

$$P_{\mathit{missed\text{-}alert}} = p_{so} + p_{vo} + p_{si} + p_{vi} + (1 - \eta)^{d+1}, \tag{7}$$

where, as in Section 3.2, $\eta$ is a lower bound on the probability that a given
ADS-B message from the intruder aircraft is detected and decoded by the ownship
(so $1 - \eta$ is an upper bound on the probability that a message is missed); in this example $\eta = 0.953$.

In the equation above, the amount $\psi$ by which $D$ should be artificially increased
so that the probability of a missed alert is at most $P_{\mathit{missed\text{-}alert}}$ is given by

$$\psi = a_o + a_i + (T + \lambda)(b_o + b_i), \tag{8}$$

where $\lambda = d$ seconds. Note that Equations (8) and (7) couple $\psi$ and $d$: when the
velocity term $(T + \lambda)(b_o + b_i)$ dominates the calculation of $\psi$, increasing $d$ increases $\psi$,
while at the same time the term $(1 - \eta)^{d+1}$ shrinks, so the upper bound on the probability
of a missed alert decreases.


Computing Actual Probabilities. DO-242A [8] specifies several system performance
confidence levels that are to be included in ADS-B messages, describing
how precise and how trustworthy the contained state information is. The relevant ones
here are the navigation accuracy categories for position and velocity (NACp and
NACv). NACp is a bound on the position error; similarly, NACv is a bound on the
velocity error. That is, these numbers specify the parameters $a_o, a_i$
and $b_o, b_i$, respectively. Both NACp and NACv specify that the stated bounds
hold with 95% confidence, which amounts to taking
$p_{so}, p_{vo}, p_{si}$ and $p_{vi}$ all equal to 0.05. Table 1 uses these numbers together with
Equations (7) and (8) to compute the amount by which the distance $D$ needs to be
increased, as well as the associated upper bounds on the probabilities of missed
alerts, for different choices of the number of seconds $d$.


Position Error   Velocity Error   Time + λ       Buffer ψ             P_missed-alert
< 30 m           < 0.3 m/s        180 + 0 sec    +0.09 nmi (168 m)    0.24700
< 30 m           < 0.3 m/s        180 + 1 sec    +0.09 nmi (169 m)    0.20221
< 30 m           < 0.3 m/s        180 + 2 sec    +0.09 nmi (169 m)    0.20010
< 30 m           < 0.3 m/s        180 + 3 sec    +0.09 nmi (170 m)    0.20000
< 185.2 m        < 1.0 m/s        180 + 0 sec    +0.39 nmi (730 m)    0.24700
< 185.2 m        < 1.0 m/s        180 + 3 sec    +0.40 nmi (736 m)    0.20000

Table 1. Horizontal uncertainty, lookahead, and buffer sizes. The < 30 m position
error corresponds to the NACp 9 error category (NACp 11 is the most accurate) and
the < 0.3 m/s velocity error corresponds to the NACv 4 (most accurate) error category.
The velocity error dominates the calculation of ψ in these cases. When the position error is
< 185.2 m (NACp 7) and the velocity error is < 1.0 m/s (NACv 3), the position error
dominates the calculation of ψ for lookahead times T + λ below about 185 seconds (the
crossover is at $(a_o + a_i)/(b_o + b_i) = 185.2$ s).
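The following Python script is an added example, not code from the paper. It evaluates Equations (7) and (8) for the DO-242A inputs the text uses (the NACp/NACv bounds, p = 0.05 for all four probabilities, η = 0.953, T = 180 s), regenerates the six rows of Table 1, reports which term of ψ dominates together with the crossover lookahead (a_o + a_i)/(b_o + b_i) from the caption, and adds a helper, smallest_d, that inverts Equation (7) to find the smallest d for which the bound meets a target. The function names and the target search are this example's own.

```python
"""Table 1 of the paper from Equations (7) and (8).  Added example, not the
paper's code.  Inputs (NACp/NACv bounds, 95% confidence giving p = 0.05,
eta = 0.953, T = 180 s) are the paper's values; the helper names and the
target search in smallest_d are this example's own."""
import math

NMI_M = 1852.0  # metres per nautical mile


def buffer_psi(a_o, a_i, b_o, b_i, T, lam):
    """Equation (8): psi = a_o + a_i + (T + lambda)(b_o + b_i), in metres."""
    return a_o + a_i + (T + lam) * (b_o + b_i)


def missed_alert_bound(p_so, p_vo, p_si, p_vi, eta, d):
    """Equation (7): upper bound on the probability of a missed alert."""
    return p_so + p_vo + p_si + p_vi + (1.0 - eta) ** (d + 1)


def dominant_term(a_o, a_i, b_o, b_i, T, lam):
    """Which term of Equation (8) is larger for this lookahead."""
    return "position" if a_o + a_i > (T + lam) * (b_o + b_i) else "velocity"


def crossover_lookahead(a_o, a_i, b_o, b_i):
    """Lookahead T + lambda below which the position term dominates psi."""
    return (a_o + a_i) / (b_o + b_i)


def smallest_d(p_sum, eta, target):
    """Smallest d (seconds of tolerated staleness) for which the bound of
    Equation (7) is <= target, or None if the four measurement-error
    probabilities alone already reach the target."""
    if p_sum >= target:
        return None
    # (1 - eta)^(d+1) <= target - p_sum  <=>  d + 1 >= log(target - p_sum) / log(1 - eta)
    return max(0, math.ceil(math.log(target - p_sum) / math.log(1.0 - eta)) - 1)


def table1_row(a, b, T, d, p=0.05, eta=0.953):
    """One row of Table 1: a = position bound (m) and b = velocity bound (m/s),
    the same for ownship and intruder; returns the strings the table prints."""
    lam = float(d)
    psi = buffer_psi(a, a, b, b, T, lam)
    bound = missed_alert_bound(p, p, p, p, eta, d)
    return {
        "pos": f"< {a:g} m",
        "vel": f"< {b:.1f} m/s",
        "time": f"{T:g}+{d} sec",
        "buffer": f"+{psi / NMI_M:.2f} nmi ({round(psi)} m)",
        "p_missed": f"{bound:.5f}",
        "dominant": dominant_term(a, a, b, b, T, lam),
    }


def table1():
    """The six parameter choices of Table 1, in the table's order."""
    rows = [(30.0, 0.3, 180.0, d) for d in range(4)]
    rows += [(185.2, 1.0, 180.0, 0), (185.2, 1.0, 180.0, 3)]
    return [table1_row(*r) for r in rows]


if __name__ == "__main__":
    for row in table1():
        print("  ".join(row[k] for k in ("pos", "vel", "time", "buffer", "p_missed", "dominant")))
    # With 1 - 1e-9 confidence intervals (p = 1e-9 each) and eta = 0.953,
    # how much staleness must the probe tolerate to bound the risk by 5e-9?
    print(smallest_d(4e-9, 0.953, 5e-9))
```

Because (1 − η)^{d+1} is the only term of Equation (7) that the system designer controls through d, smallest_d is the practical question the bound answers: with the 95% intervals of DO-242A the answer is meaningless (the 0.2 floor from the four p terms dominates), whereas with 1 − 10^{-9} intervals a tolerance of a few seconds already pushes the staleness term below the measurement terms.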


It should be noted that the upper bounds on the probabilities of missed
alerts in this table are quite high, but that this is not due to imprecision in the
presented methods. It is mostly due to the fact that the confidence intervals
specified in DO-242A are 95% intervals and say little about what
happens the other 5% of the time. If $1 - 10^{-9}$ confidence intervals were
available for the positions and velocities of the aircraft, these formulas would bound
the probability of a missed alert by roughly $4 \times 10^{-9}$, plus the term $(1 - \eta)^{d+1}$,
which can be made as small as required by the choice of $d$.


4 Conclusion and Future Work 

This paper has built on Rushby and Littlewood’s framework [9, 5] for formalizing 
safety claims, specifically providing a mathematical basis for dealing with certain 
probabilistic safety claims. The mathematics behind this is based on the notion 
of probabilistic kernels, which were illustrated in a safety claim for a conflict 
detection system for aircraft. The framework presented allows for an arbitrary 
number of potentially hazardous conditions. Future work in this area will include 
formalizing the mathematics presented here in a theorem prover such as PVS [7]. 
Many of the tools needed for this task already exist, including PVS libraries for 
Riemann integration [1] and Riemann-Stieltjes integration, as well as a Lebesgue 
measure and integration library developed by David Lester. Some additions are 
needed to these libraries to facilitate manipulations of multiple integrals. 

An additional area for future work would be to incorporate a degree of as- 
sumption checking into the framework. This may include formally capturing 
the assumptions of independence between hazardous conditions, which could 



be formed into a verification condition that can be automatically checked for 
inconsistencies by a satisfiability checker (a SAT-solver). 